Monday, August 27, 2012

In the earlier parts of the series we looked at GET- and POST-based injections and went into detail on error-based SQL injections (string type and integer type), double-query error-based injections, blind injections (Boolean-based and time-based), and using OUTFILE/DUMPFILE to write the information to text files. In this part we look at injections in an INSERT query. For this we would look at Less-17.
A general INSERT query looks like

INSERT INTO table (col1,col2, col3) values (val1,val2, val3);

For the purpose of the lab we use Less-18 and Less-19. These lessons differ from the earlier ones because the injection is in an INSERT query, and moreover in header fields. Less-18 covers injection in the User-Agent field and Less-19 covers injection in the Referer field.

"Less-18 - INJECTION IN THE USERAGENT FIELD"

"Less-19 - INJECTION IN THE REFER FIELD."

To fuzz these input points we need to write a script or use an intercepting proxy such as Tamper Data (a Firefox add-on), Burp Suite, Fiddler, ZAP, or any other tool that allows you to modify the headers on the fly.

In these injections, where header fields are inserted into the database, our focus is to check whether the stored data can be extracted in some way. Blind injection is always an option, using Boolean-based or time-based techniques; it works, but it is slow overall.

In cases where the application displays MySQL errors, they can be used to dump values efficiently and with far fewer queries than blind injection. The logic of double-query injections is used to dump the information.
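The root cause in both Less-18 and Less-19 is that a request header is spliced straight into the INSERT text, so a single quote in the header changes the statement and, when the application echoes database errors, the error message becomes the channel described above. The following is an added example (not code from the sqli-labs project) that reproduces the unsafe INSERT construction next to its parameterized form against an in-memory SQLite database; the table name and columns (`uagents`, `uagent`, `ip_address`, `username`) and the sample header values are my assumptions, not taken from the lab.

```python
import sqlite3

# Constructed sample request headers (hypothetical values, not from the lab).
# The User-Agent deliberately contains a single quote, which is exactly the
# character that breaks a string literal built by concatenation.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux) it's-a-test",
    "Referer": "http://example.invalid/",
}


def make_db():
    """Create an in-memory database with an assumed uagents table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE uagents ("
        "id INTEGER PRIMARY KEY, uagent TEXT, ip_address TEXT, username TEXT)"
    )
    return conn


def insert_concat(conn, headers, ip, user):
    """Vulnerable pattern: the header value is spliced into the SQL text.

    Returns 'ok' on success, or the database error text, mirroring an
    application that prints MySQL errors to the page.
    """
    sql = (
        "INSERT INTO uagents (uagent, ip_address, username) VALUES ('"
        + headers["User-Agent"] + "', '" + ip + "', '" + user + "')"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        conn.rollback()
        return "error: " + str(exc)


def insert_param(conn, headers, ip, user):
    """Hardened pattern: placeholders keep the header value as data only."""
    conn.execute(
        "INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
        (headers["User-Agent"], ip, user),
    )
    conn.commit()
    return "ok"


def stored_agents(conn):
    """Return the User-Agent strings currently stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT uagent FROM uagents ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print("concat:", insert_concat(db, SAMPLE_HEADERS, "127.0.0.1", "Dumb"))
    print("param: ", insert_param(db, SAMPLE_HEADERS, "127.0.0.1", "Dumb"))
    print("stored:", stored_agents(db))
```

Running it shows the concatenated INSERT failing with a syntax error because the quote in the header terminates the string literal early, while the parameterized INSERT stores the header verbatim. The same contrast applies to the Referer header in Less-19, and the fix on the defending side is the same: bind header values as parameters and never render database error text to the client.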